#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
     Reporter:  Carsten Fuchs        |                    Owner:  Kundan
                                     |  Yadav
         Type:  New feature          |                   Status:  assigned
    Component:  contrib.admin        |                  Version:  6.0
     Severity:  Normal               |               Resolution:
     Keywords:  CSP, nonce, admin    |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Rob Hudson):

 This is a subtle issue with regards to the nature of `strict-dynamic`.

 The admin templates would need to add conditional nonce attributes to all
 script tags (both external and inline). For example:

 Current (admin/base.html:9)

 {{{
   <script src="{% static "admin/js/theme.js" %}"></script>
 }}}

 Should be:

 {{{
   <script src="{% static "admin/js/theme.js" %}"{% if csp_nonce %} nonce="{{ csp_nonce }}"{% endif %}></script>
 }}}

 This would allow things to work in the following 4 scenarios. Currently it
 seems Django 6.0
 1. when CSP middleware is not enabled (nonce is falsy, not added to header
 or script tags)
 2. when CSP is enabled without nonces (nonce not accessed, not added to
 header or script tags)
 3. when CSP uses nonces (nonce added to both tag and header)
 4. when CSP uses nonces with `CSP.STRICT_DYNAMIC` (nonce added to both tag
 and header)

 The difference between 3 and 4 is that 3 would allow host-based allowlists
 and keyword allowlists to work. When `CSP.STRICT_DYNAMIC`, host-based
 allowlists and keyword (e.g. `CSP.SELF`) allowlists are ignored, so admin
 scripts would then require nonces.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
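The four scenarios in the comment above can be checked mechanically against a rendered page and its response header. The following is an added example, not code from the ticket or from Django: a simplified CSP evaluator (it models only 'self' for relative URLs, 'unsafe-inline', nonces and 'strict-dynamic', not full host-list matching) run over constructed "before" and "after" admin markup, showing that under 'strict-dynamic' a script without the header's nonce is blocked even though 'self' would otherwise have allowed it.

```python
from html.parser import HTMLParser

# Constructed sample data (not from the ticket): a stripped-down admin page
# before and after the conditional nonce attribute, plus a made-up nonce.
NONCE = "d3m0n0nc3"
BEFORE = '<script src="/static/admin/js/theme.js"></script>'
AFTER = f'<script src="/static/admin/js/theme.js" nonce="{NONCE}"></script>'


class ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def script_sources(header):
    """Source list governing scripts: script-src, else default-src, else None."""
    directives = {}
    for directive in (header or "").split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives.get("script-src", directives.get("default-src"))


def blocked_scripts(html, header):
    """Return the src (or '<inline>') of each script the policy would block."""
    sources = script_sources(header)
    if sources is None:  # scenario 1: no CSP header, nothing is blocked
        return []
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    strict = "'strict-dynamic'" in sources
    collector = ScriptCollector()
    collector.feed(html)
    blocked = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if attrs.get("nonce") in nonces:
            continue  # matching nonce: allowed in scenarios 3 and 4
        if strict:
            blocked.append(src or "<inline>")  # scenario 4: allowlists ignored
        elif src is None:
            if nonces or "'unsafe-inline'" not in sources:
                blocked.append("<inline>")  # 'unsafe-inline' is ignored once a nonce is present
        elif not ("'self'" in sources and src.startswith("/")):
            blocked.append(src)  # scenarios 2 and 3: 'self' still covers same-origin scripts
    return blocked
```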